Cyber Security Committee report continued
• A review of whether external presenters or advisers/consultants could attend future Committee meetings • More frequent updates on the nature of the changing cyber threat landscape, e.g. what are the current major topics within cyber and the significant threats, plus recent security incidents that organisations have experienced As an output of both this and previous evaluations, the Committee, along with the Board, reaffirmed that cyber security and data protection are sufficiently important risks for the business and that the Committee should remain focused on this specific set of risks. Therefore, the current structure in which the responsibility for broader risk management remains with the Audit Committee will continue. Committee activities during the year • The Committee continues to make sure that the Group’s resilience to cyber-attack is maintained and improved as the threat landscape changes. In terms of information security activities, the establishment of Global Technical Services (GTS) in November 2021 and the close working between the CISO and security team in GTS – at full strength after successful internal recruitment activities in the summer and autumn – allowed us to focus on removing or remediating some of our legacy technologies and simplifying our IT estate, while at the same time improving our security visibility across the Board. • A new ICT asset management system has been introduced and this will be exceptionally valuable for ongoing threat and vulnerability management and will underpin security activities in the future. • We conducted a Cyber Security Review against the NIST Framework in February 2022, and we are working through the matters arising from that to make improvements where necessary. We have also made greater use of other third party benchmarks like Microsoft’s Secure Score to help prioritise security improvements. • On the threat detection side, we continue to benefit from our global SOC’s leading detection methods and techniques, and have just begun to transition to making more use of the Group’s fast-developing Microsoft XDR offering. In terms of our global data protection programme and internal data privacy activities, our three year strategy is underway to pave the way for our intended application for Binding Corporate Rules. Binding Corporate Rules provide colleagues and customers alike with a sense of trust through demonstration of our commitment to protecting personal data, wherever in the world it may be processed during our business activities. The data protection regulatory landscape is continually changing, particularly in light of the UK GDPR, and the team is working closely to stay abreast of such changes. Noteworthy highlights since our previous report include: • A suite of improvements are either in progress or have been made with the goal of furthering our Data Protection by Design approach, and to make the Data Protection triage assessment process more efficient and easier for the business to engage with. This includes a new ticketing/work log system. The data protection team continues to work closely with IT to embed these improvements into its processes.
The Cyber Security Committee’s objectives and responsibilities
The Cyber Security Committee is responsible for assessing the performance of the Group’s internal security and defences and as such its duties are to: • Oversee and advise the Board on the current cyber risk exposure of the Group and future cyber risk strategy • Review at least annually the Group’s cyber security breach response and crisis management plan • Review reports on any cyber security incidents and the adequacy of resulting actions • Receive and consider the regular update reports from the CISO and CDPGO and ensure the CISO and CDPGO are given the right of direct access to the Committee • Consider and recommend actions in respect of all cyber and data protection risk issues escalated to it • Keep under review the effectiveness of the Group’s controls, services and products to analyse potential vulnerabilities that could be exploited • Regularly assess what are the Group’s most valuable intangible assets and the most sensitive Group and customer information and assess whether the controls in place sufficiently protect those assets and information • Review the Group’s ability to identify and manage new cyber risks • Assess the adequacy of resources and funding for data protection and cyber security defence and control activities • Regularly review the cyber and data protection risk posed by third parties including outsourced IT and other partners • Oversee cyber security and data protection due diligence undertaken as part of an acquisition and advise the Board of the risk exposure • Annually assess the adequacy of the Group’s cyber insurance cover The Committee’s terms of reference can be found in the Investor Relations > Corporate Governance section of the Company’s website (www.nccgroupplc.com/investor-relations/corporate-governance). The terms of reference are reviewed annually and updated when necessary. Committee effectiveness During the year, the Cyber Security Committee carried out an internal self-evaluation on its effectiveness, as it continues to mature since its formation in November 2016. The Committee was found to be working effectively and I am satisfied that the degree of rigour and challenge applied in performing the Committee’s responsibilities is appropriate and effective and continues to improve. In terms of specific focus areas for the year ahead we agreed on the following: • Continuing to take the papers/presentations as read and focusing on more value-adding dialogue, discussion and interaction rather than going through the Committee briefing packs • Improving the Committee’s knowledge and understanding of how NCC Group actually uses the tools and processes that it offers to clients
104
NCC Group plc — Annual report and accounts for the year ended 31 May 2022
Made with FlippingBook Online newsletter maker